|author||Doug Rabson <dfr@FreeBSD.org>||2005-12-29 14:40:22 +0000|
|committer||Doug Rabson <dfr@FreeBSD.org>||2005-12-29 14:40:22 +0000|
Add a new extensible GSS-API layer which can support GSS-API plugins,
similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <firstname.lastname@example.org>, ru (build system), des (openssh parts)
Notes: svn path=/head/; revision=153838
Diffstat (limited to 'lib/libgssapi/gss_acquire_cred.3')
1 files changed, 238 insertions, 0 deletions
diff --git a/lib/libgssapi/gss_acquire_cred.3 b/lib/libgssapi/gss_acquire_cred.3
new file mode 100644
@@ -0,0 +1,238 @@
+.\" -*- nroff -*-
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Dt GSS_ACQUIRE_CRED 3 PRM
+.Nd Obtain a GSS-API credential handle for pre-existing credentials
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t desired_name"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_OID_set desired_mechs"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "gss_cred_id_t *output_cred_handle"
+.Fa "gss_OID_set *actual_mechs"
+.Fa "OM_uint32 *time_rec"
+Allows an application to acquire a handle for a pre-existing
+credential by name.
+GSS-API implementations must impose a local
+access-control policy on callers of this routine to prevent
+unauthorized callers from acquiring credentials to which they are not
+This routine is not intended to provide a "login to the
+network" function, as such a function would involve the creation of
+new credentials rather than merely acquiring a handle to existing
+Such functions, if required, should be defined in
+implementation-specific extensions to the API.
+If desired_name is
+.Dv GSS_C_NO_NAME ,
+the call is interpreted as a
+request for a credential handle that will invoke default behavior
+when passed to
+(if cred_usage is
+.Dv GSS_C_BOTH )
+(if cred_usage is
+.Dv GSS_C_BOTH ).
+Mechanisms should honor the
+and return a credential that is suitable to use only with the
+An exception to this is the case where one underlying credential
+element can be shared by multiple mechanisms;
+in this case it is permissible for an implementation to indicate all
+mechanisms with which the credential element may be used.
+is an empty set, behavior is undefined.
+This routine is expected to be used primarily by context acceptors,
+since implementations are likely to provide mechanism-specific ways
+of obtaining GSS-API initiator credentials from the system login
+Some implementations may therefore not support the acquisition of
+for any name other than
+.Dv GSS_C_NO_NAME ,
+or a name produced by applying either
+to a valid credential, or
+to an active context.
+If credential acquisition is time-consuming for a mechanism,
+the mechanism may choose to delay the actual acquisition until the
+credential is required
+.Fn gss_accept_sec_context ).
+Such mechanism-specific implementation
+decisions should be invisible to the calling application;
+thus a call of
+immediately following the call of
+must return valid credential data,
+and may therefore incur the overhead of a deferred credential acquisition.
+Name of principal whose credential should be acquired.
+Number of seconds that credentials should remain valid.
+to request that the credentials have the maximum
+Set of underlying security mechanisms that may be used.
+may be used to obtain an implementation-specific default.
+.Bl -tag -width "GSS_C_INITIATE"
+Credentials may be used either to initiate or accept security
+Credentials will only be used to initiate security contexts.
+Credentials will only be used to accept security contexts.
+The returned credential handle.
+associated with this credential handle must be released by
+the application after use with a call to
+.Fn gss_release_cred .
+The set of mechanisms for which the credential is valid.
+Storage associated with the returned OID-set must be released by the
+application after use with a call to
+.Fn gss_release_oid_set .
+.Dv NULL if not required.
+Actual number of seconds for which the returned credentials will
+If the implementation does not support expiration of credentials,
+will be returned.
+Specify NULL if not required.
+Mechanism specific status code.
+.Sh RETURN VALUES
+Unavailable mechanism requested.
+Type contained within desired_name parameter is not supported.
+Value supplied for desired_name parameter is ill formed.
+The credentials could not be acquired Because they have expired.
+No credentials were found for the specified name.
+.Sh SEE ALSO
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_inquire_cred 3 ,
+.Xr gss_inquire_context 3 ,
+.Xr gss_release_cred 3 ,
+.Xr gss_release_oid_set 3
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+manual page example first appeared in
+.Fx 7.0 .
+John Wray, Iris Associates